Privacy policy

BloomsPal Privacy Policy & Amazon SP-API Data Handling

Last updated: [add date]

BloomsPal (“we”, “our”, “us”) operates a cross-border fulfillment and e-commerce enablement platform that allows brands to sell directly to U.S. customers through online marketplaces including Amazon, Shopify, and Walmart.

This Privacy Policy describes how we collect, use, store, protect, share, and dispose of personal information, including data obtained through Amazon Selling Partner API (“Amazon Information”).

1. Information We Collect

We may collect:

• Contact information (name, email, phone) through our website
• Business account information for brands using our platform
• Order and fulfillment data required to process shipments
• Amazon buyer information obtained exclusively through authorized SP-API access, including:

  • Customer name

  • Shipping address

  • Contact details

  • Order and shipment identifiers

2. Purpose of Data Use

Personal data is used strictly for:

• Order processing and fulfillment
• Shipping label generation
• Customs documentation for international trade
• Delivery coordination and customer communication
• Returns and exchanges

Amazon Information is never used for advertising, marketing, profiling, or resale.

3. Storage & Security Controls

BloomsPal stores all data on secure AWS cloud infrastructure with:

• AES-256 encryption at rest
• TLS encryption in transit
• Role-based access control (RBAC)
• Multi-factor authentication (MFA)
• Continuous monitoring and audit logging
• Encrypted automated backups

Access to Amazon PII is limited strictly to authorized logistics personnel and DevOps administrators under least-privilege principles.

4. Data Sharing

Amazon Information is shared exclusively with essential fulfillment partners, including:

• International carriers 
• Authorized customs brokers
• Approved third-party logistics providers

All data exchanges occur through encrypted channels under signed data processing agreements and strictly for order fulfillment execution.

No Amazon buyer data is shared for marketing or commercial analytics purposes.

5. Data Retention & Disposal

Amazon PII is retained only as long as operationally required:

• Typically 31–90 days after order shipment

After this period, data is securely deleted or anonymized from production systems and backups through automated lifecycle policies.

6. Incident Response & Reporting

BloomsPal maintains a documented incident response plan that includes:

• Continuous security monitoring
• Immediate containment procedures
• Root cause investigation
• Mandatory notification to Amazon at security@amazon.com within 24 hours of any potential exposure
• Post-incident remediation and security enhancements

7. Testing & Development Environments

Production Amazon PII is never used in development or testing environments.

Only synthetic, fictitious data is used for testing purposes in isolated systems.

8. Credential Protection

All system credentials and API keys are managed using AWS Secrets Manager with:

• Encryption
• Automatic rotation
• No hard-coded secrets
• Access restricted by IAM roles

9. Your Rights & Data Protection

We comply with applicable data protection regulations including U.S. privacy standards and GDPR-aligned principles, including:

• Data minimization
• Purpose limitation
• Secure processing
• Right to deletion where applicable

10. Contact for Data & Security Matters

Security Incident Management Point of Contact (IMPOC)
William Orlando Cuervo – Security Officer
📧 william@bloomspal.com

Technical IMPOC
William Camilo Bayona – DevOps Team Lead
📧 camilo@bloomspal.com